There is a major problem with the “Hotlink Protection” feature of cPanel. To summarize the issue, allow me to quote a recent email sent to a completely unresponsive tech support department:

…The problem is that if I try to include any rewrite rules for permalinks, hotlinking, or blocking spambots, cPanel automatically enables its “Hotlink Protection” feature. And, even worse, it automatically adds every URL from every rewrite rule (even the ones for blocking spambots) to its “auto-discovered” list of URL’s for which image access is allowed. This means that every spammer that I am trying to block now has access to my images! If I try to remove the spammers directly from the “allow-image-access” list, the associated rewrite rules are automatically removed from my htaccess file, thus giving spammers full access to my entire site (instead of just access to images). So, it is indeed the case that I can’t add any rewrite rules to my site’s root htaccess file without cPanel automatically assuming that every URL on the page is related to hotlinking and subsequently adding them all to the “allow-image-access” list…

In other words, cPanel screws up htaccess rewrite rules via its “Hotlink Protection” feature. More specifically, spammers and robots that are denied site access via root-htaccess rewrite rules are automatically listed in the “allow access to images” field of the Hotlink Protection panel. Not good. Even worse, disabling Hotlink Protection automatically removes every rewrite rule from the htaccess file. Such bizarre functionality forces the user to choose between complete hotlink protection and other essential features such as pretty permalinks or spam blocking. Pretty sucky if you ask us. Nonetheless, here is a concise summary of the problem with the cPanel Hotlink Protection (cHP) feature:

cHP enables itself when any rewrite rules are added to the root htaccess file

cHP includes every URL associated with such rewrite rules to its list of sites allowed access

cHP removes every rewrite rule from the root htaccess file when cHP is manually disabled

cHP deletes rewrite rules associated with any URL selectively removed from its whitelist

Therefore, based on the automatically perpetuated behavior of cHP, it appears impossible to enjoy htaccess hotlink protection along with any other rewrite-rule functionality. For example, you could employ hotlink protection but not WordPress permalinks. Likewise, to block spammers and scrapers, you would have to sacrifice hotlink protection. With cHP, it’s one or the other — you simply can’t have both!

This problem happened to me today (files screwed up after disabling cHP manually). I’m not an expert at all. Only my add-on domain did experience problems and none of the images were shown after disabling cHP manually.

After restoring a Full CPanel back-up I like to edit my .htaccess file adding a manual code for Hotlink Protection (with some permitted sites).
What do I need to do with the cHP-option? Keep it enabled or disabling it again with the risk that the files are going to be screwed up again? Does cHP adept itself to the lines of code you add manually to the .htaccess file?

I’ve long-since moved away from cpanel, but if I recall, the trick was setting .htaccess manually and then just NEVER visit anything in cpanel that has anything to do with it.

Another trick is knowing when the .htaccess file contains your code exactly and not the screwed-up stuff that cpanel does. So make the changes, view the file from the cpanel File Manager, and if it looks good, just never go back into any of those cpanel option areas.

If I recall, it was actually visiting/accessing those pages that caused cpanel to fudge up your .htaccess files. So configure .htaccess manually and stay away from cpanel’s hotlinking/htaccess pages.

Books

Links

About the site

Perishable Press is the work of Jeff Starr, professional developer, designer, author, and publisher with over 10 years of experience. Check out some of Jeff's books and projects, follow on Twitter, or learn more »

Fun fact: Perishable Press has been online since 2005, and now features over 700 articles and more than 11,000 comments. More stats »